Ethical hacker Elliot Alderson who first flagged the privacy concerns in the coronavirus contact tracing app Aarogya Setu explained the security flaws in a blog. He further stated that based on the flaws, he could figure out that five people at the PMO and two at the Indian Army Headquarters in Delhi felt unwell. He explained that the Aarogya Setu app is not supposed to disclose a corona patient's location but merely tell the user that there are cases around him.
On Wednesday, Alderson published a blog post explaining why he thinks the app has security flaws. The two main concerns he points out are that anyone can access the app's internal database and that anyone can see who is sick anywhere in India, which violates privacy.
"With only 1 click, an attacker can open any app internal file, including the local database used by the app called fight-covid-db," he says in his blog. He says that he spent less than two hours to figure out the flaws. He found that an activity called WebViewActivity was acting unusually and upon researching found that the activity has no host validation at all. He said he then tried to open an internal file, which opened up easily. He alleges that the flaw was "quietly fixed" by the developers.
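The first flaw described above is a WebView activity that loads whatever URL it is handed, with no host validation, so a `file://` URI pointing at an internal database can be opened. The following Android activity is an added example of the defensive pattern, written for this page and not taken from the Aarogya Setu app or from Alderson's write-up: the target URI is checked against an HTTPS host allowlist before loading, file and content access are switched off, and navigations away from the allowlist are blocked. The host `example.com`, the class name and the use of the intent's data URI are assumptions for illustration.

```java
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical hardened replacement for an activity that wraps a WebView.
// In AndroidManifest.xml this activity should also carry android:exported="false"
// unless another app genuinely has to launch it.
public class HardenedWebViewActivity extends AppCompatActivity {

    // Assumed allowlist of hosts the WebView may show; the real app's hosts are not on the page.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com"));

    // Only https:// URLs to an allowlisted host pass. file://, content://, javascript:
    // and unknown hosts all fail this check.
    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equalsIgnoreCase(scheme)
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Deny the WebView any route to the app's private storage.
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);      // deprecated, still relevant below API 30
        settings.setAllowUniversalAccessFromFileURLs(false); // deprecated, still relevant below API 30
        settings.setJavaScriptEnabled(false);                // enable only if the allowlisted pages need it

        // Re-check every navigation, not just the first load: a page could redirect.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowed(request.getUrl());
            }
        });

        // Assumed: the target comes in as the intent's data URI (the real app's extra is unknown).
        Uri target = getIntent().getData();
        if (isAllowed(target)) {
            webView.loadUrl(target.toString());
        } else {
            finish(); // reject the request instead of rendering an untrusted target
        }
    }
}
```

The two checks complement each other: `isAllowed` stops the activity from ever loading a non-allowlisted target, and the `WebSettings` calls make sure that even a mistake in the allowlist cannot turn the WebView into a file browser over the app's sandbox.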
The second flaw he says is a privacy one. Alderson says that anyone can manipulate the location and distance at the backend. On the app, one can scan an area of 500m, 1km, 2km, 5km or 10km radius. The French hacker said, "The 1st thing I tried was to modify the location to see if I was able to get information anywhere in India. The 2nd thing was to modify the radius to 100kms to see if I was able to get info with a radius which is not available in the app. As you can see in the previous screenshot, I set my location to New Delhi and set the radius to 100kms and it worked!"
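The backend behaviour described here is the classic case of a server trusting parameters that the client UI was supposed to constrain. As an added example that is not part of the article or the app's code, the validator below shows the server-side counterpart a defender would want: the radius is accepted only if it is one of the values the app's UI actually offers (500 m, 1 km, 2 km, 5 km, 10 km, taken from the text), coordinates are range-checked, and any request carrying a radius the app cannot produce is recorded as a tampering signal rather than silently served. The class name, the field names and the log format are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

// Hypothetical server-side validation for a "cases near me" query.
public final class ProximityRequestValidator {

    // The only radii the app's UI exposes (from the article); anything else cannot
    // have come from an unmodified client.
    private static final Set<Integer> ALLOWED_RADII_M =
            new HashSet<>(Arrays.asList(500, 1000, 2000, 5000, 10000));

    // Immutable result: either a validated request or a rejection reason.
    public static final class Result {
        public final Optional<Integer> radiusM;
        public final String rejectionReason; // null when accepted

        private Result(Integer radiusM, String rejectionReason) {
            this.radiusM = Optional.ofNullable(radiusM);
            this.rejectionReason = rejectionReason;
        }

        public boolean accepted() { return rejectionReason == null; }
    }

    // Validate raw query parameters as they arrive off the wire.
    public static Result validate(String rawLat, String rawLon, String rawRadius, String clientId) {
        double lat, lon;
        int radius;
        try {
            lat = Double.parseDouble(rawLat);
            lon = Double.parseDouble(rawLon);
            radius = Integer.parseInt(rawRadius);
        } catch (NumberFormatException | NullPointerException e) {
            return reject(clientId, "malformed parameters");
        }
        if (Double.isNaN(lat) || Double.isNaN(lon) || lat < -90 || lat > 90 || lon < -180 || lon > 180) {
            return reject(clientId, "coordinates out of range");
        }
        if (!ALLOWED_RADII_M.contains(radius)) {
            // The UI cannot send this value, so the client has been modified or the
            // request was crafted by hand: worth an alert, not just a 400.
            return reject(clientId, "radius not offered by app: " + radius);
        }
        return new Result(radius, null);
    }

    private static Result reject(String clientId, String reason) {
        // Assumed audit-log format; in production this feeds the SIEM.
        System.err.println("proximity-query rejected client=" + clientId + " reason=" + reason);
        return new Result(null, reason);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate request, one with the 100 km radius
        // from the article.
        Result ok = validate("28.6139", "77.2090", "5000", "client-A");
        Result tampered = validate("28.6139", "77.2090", "100000", "client-B");
        System.out.println("legitimate accepted: " + ok.accepted());       // true
        System.out.println("100 km accepted:     " + tampered.accepted()); // false
    }
}
```

Validating the radius does not by itself fix the second half of the problem, that the response identifies individuals: the response payload also has to be limited to aggregate counts, which is a data-model decision rather than an input check, and so is not shown here.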
I wrote an article to describe the issues I reported to the @SetuAarogya. I hope it will allow people to understand the situation and why it's an important issue. I hope you like it, all feedbacks are welcome!
May 6, 2020
"Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me," he added.
He explained that based on the flaws he could figure out that five people felt unwell at the PMO office, two at the Indian Army Headquarters, one person was infected at the Indian parliament and three at the Home Office.
Alderson stated that the app is not supposed to tell you the location of corona patients. "The first issue is a security issue and the second is a privacy issue. If you don't care about privacy, fine for you but it's still a privacy issue," he said.
- No the purpose of the app is not to know the location of ill patients
- The 1st issue I found is a security issue, the 2nd issue a privacy issue.
- If you don't care about privacy, fine for you but it's still a privacy issue.
- Elliot Alderson (@fs0c131y) May 6, 2020
"I took the time to write this article for two reasons: I want to be transparent. You have all the info, even the technical info. Sharing is caring. Maybe it will give ideas to other bug bounty hunters and security lovers in general," he tweeted after releasing the explanation.
On May 5, Alderson took to social media to tell the Aarogya Setu team that there are security flaws in their platform that put the data of 90 million Indians at risk. Soon after the tweet, Aarogya Setu responded on Twitter to the privacy criticism and stated that no user's data was at risk.